b'        EVALUATION REPORT\n\n                   Independent Evaluation of NRC\xe2\x80\x99s\n                     Implementation of the Federal\n                   Information Security Management\n                        Act for Fiscal Year 2010\n\n                   OIG-11-A-03 November 9, 2010\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                            UNITED STATES\n                    NUCLEAR REGULATORY COMMISSION\n                            WASHINGTON, D.C. 20555-0001\n\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                         November 9, 2010\n\n\n\nMEMORANDUM TO:            R. William Borchardt\n                          Executive Director for Operations\n\n\nFROM:                     Stephen D. Dingbaum /RA/\n                          Assistant Inspector General for Audits\n\n\nSUBJECT:                  INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                          IMPLEMENTATION OF THE FEDERAL INFORMATION\n                          SECURITY MANAGEMENT ACT (FISMA) FOR FISCAL\n                          YEAR 2010 (OIG-11-A-03)\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) report titled, Independent\nEvaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security Management\nAct for Fiscal Year 2010.\n\nThe report presents the results of the subject evaluation. Agency comments provided\nduring a November 5, 2010, exit conference have been incorporated, as appropriate,\ninto this report.\n\nPlease provide information on actions taken or planned on the recommendations within\n30 days of the date of this memorandum. 
Actions taken or planned are subject to OIG\nfollowup as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\nevaluation. If you have any questions or comments about our report, please contact me\nat 415-5915 or Beth Serepca, Team Leader, at 415-5911.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nEdwin M. Hackett, Executive Director, Advisory Committee\n  on Reactor Safeguards\nE. Roy Hawkens, Chief Administrative Judge, Atomic Safety\n  and Licensing Board Panel\nStephen G. Burns, General Counsel\nBrooke D. Poole, Director, Office of Commission Appellate Adjudication\nJames E. Dyer, Chief Financial Officer\nHubert T. Bell, Inspector General\nMargaret M. Doane, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nR. William Borchardt, Executive Director for Operations\nMichael F. Weber, Deputy Executive Director for Materials, Waste,\n  Research, State, Tribal, and Compliance Programs, OEDO\nDarren B. Ash, Deputy Executive Director\n  for Corporate Management, OEDO\nMartin J. Virgilio, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nNader L. Mamish, Assistant for Operations, OEDO\nKathryn O. Greene, Director, Office of Administration\nPatrick D. Howard, Director, Computer Security Office\nRoy P. Zimmerman, Director, Office of Enforcement\nCharles L. Miller, Director, Office of Federal and State Materials\n  and Environmental Management Programs\nCheryl L. McCrary, Director, Office of Investigations\nThomas M. Boyce, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nMichael R. Johnson, Director, Office of New Reactors\nCatherine Haney, Director, Office of Nuclear Material Safety\n  and Safeguards\nEric J. 
Leeds, Director, Office of Nuclear Reactor Regulation\nBrian W. Sheron, Director, Office of Nuclear Regulatory Research\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJames T. Wiggins, Director, Office of Nuclear Security\n  and Incident Response\nMarc L. Dapas, Acting Regional Administrator, Region I\nLuis A. Reyes, Regional Administrator, Region II\nMark A. Satorius, Regional Administrator, Region III\nElmo E. Collins, Jr., Regional Administrator, Region IV\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              for Fiscal Year 2010\n\n\n\n\n                                Contract Number: GS-00F-0001N\n                                 Delivery Order Number: 20291\n\n                                                 November 05, 2010\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                                    Independent Evaluation of\n                                                                     NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n        On December 17, 2002, the President signed the E-Government Act of 2002, which\n        included the Federal Information Security Management Act (FISMA) of 2002.1 FISMA\n        outlines the information security management requirements for agencies, which include\n        an annual independent evaluation of an agency\xe2\x80\x99s information security program2 and\n        practices to determine their effectiveness. 
This evaluation must include testing the\n        effectiveness of information security policies, procedures, and practices for a\n        representative subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual\n        evaluation to be performed by the agency\xe2\x80\x99s Inspector General (IG) or by an independent\n        external auditor. Office of Management and Budget (OMB) memorandum M-10-15, FY\n        2010 Reporting Instructions for the Federal Information Security Management Act and\n        Agency Privacy Management, dated April 21, 2010, requires the agency\xe2\x80\x99s Office of the\n        Inspector General (OIG) to report their responses to OMB\xe2\x80\x99s annual FISMA reporting\n        questions for OIGs via an automated collection tool.\n\n        Richard S. Carson & Associates, Inc. (Carson Associates), performed an independent\n        evaluation of the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA\n        for fiscal year (FY) 2010. This report presents the results of that independent evaluation.\n        Carson Associates also submitted responses to OMB\xe2\x80\x99s annual FISMA reporting questions\n        for OIGs via OMB\xe2\x80\x99s automated collection tool.\n\n        This report reflects the status of the agency\xe2\x80\x99s information system security program as of\n        the completion of fieldwork on September 30, 2010.\n\nPURPOSE\n\n        The objective of this review was to perform an independent evaluation of the NRC\xe2\x80\x99s\n        implementation of FISMA for FY 2010.\n\nRESULTS IN BRIEF\n\n        Program Enhancements and Improvements\n\n        Over the past 8 years, NRC has continued to make improvements to its information\n        system security program and continues to make progress in implementing the\n        recommendations resulting from previous FISMA evaluations. 
The agency has\n        accomplished the following since the FY 2009 FISMA independent evaluation:\n\n\n1\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the\n  E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act,\n  which expired in November 2002.\n2\n  For the purposes of FISMA, the agency uses the term \xe2\x80\x9cinformation system security program.\xe2\x80\x9d\n\n\n                                                      i\n\x0c                                                                          Independent Evaluation of\n                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n            The agency continued to make significant progress in certifying and accrediting\n            its systems. For the first time since 2001, when reporting on certification and\n            accreditation began under Government Information Security Reform Act\n            (GISRA), all NRC operational systems, including all contractor systems for which\n            NRC has direct oversight, have a current certification and accreditation. In FY\n            2010, the agency completed certification and accreditation of three existing\n            agency systems and two new systems, and reaccredited four agency systems. 
As\n            of the completion of fieldwork for FY 2010, all 25 operational NRC information\n            systems and all 3 systems used or operated by a contractor or other organization\n            on behalf of the agency had a current certification and accreditation.\n            The agency completed or updated security plans for all of the agency\xe2\x80\x99s 25\n            operational systems and for all 3 contractor systems.\n            The agency completed annual security control testing for all agency systems and\n            for all contractor systems.\n            The agency completed annual contingency plan testing for all but one agency\n            system and for all contractor systems, including updating the contingency plans.\n            The agency issued several new Computer Security Office processes including the\n            NRC Agency-wide Continuous Monitoring Program, the NRC Security Impact\n            Assessment Process, and the NRC Plan of Action and Milestones (POA&M)\n            Process.\n\n     Program Weakness\n\n     While the agency has continued to make improvements in its information system security\n     program and has made progress in implementing the recommendations resulting from\n     previous FISMA evaluations, the independent evaluation identified one information\n     system security program weakness \xe2\x80\x93 a repeat finding from several previous independent\n     evaluations: the agency\xe2\x80\x99s POA&M program still needs improvement.\n\nRECOMMENDATIONS\n\n     This report makes recommendations to the Executive Director for Operations to improve\n     NRC\xe2\x80\x99s information system security program and implementation of FISMA. 
A\n     consolidated list of recommendations appears on page 39 of this report.\n\nAGENCY COMMENTS\n\n     At an exit conference on November 5, 2010, agency officials agreed with the report\xe2\x80\x99s\n     findings and recommendations and provided a few editorial changes, which the OIG\n     incorporated as appropriate. The agency opted not to submit formal comments.\n\n\n\n\n                                             ii\n\x0c                                                                      Independent Evaluation of\n                                                       NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nCarson Associates   Richard S. Carson & Associates, Inc.\nCIO                 Chief Information Officer\nCIS                 Center for Internet Security\nCISO                Chief Information Security Officer\nCSIRT               Computer Security Incident Response Team\nCSO                 Computer Security Office\nDISA                Defense Information Systems Agency\nFDCC                Federal Desktop Core Configuration\nFIPS                Federal Information Processing Standard\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nGISRA               Government Information Security Reform Act\nIAS                 Information Assurance System\nIATO                Interim Authorization to Operate\nIG                  Inspector General\nISS                 Information System Security\nISSO                Information Systems Security Officer\nIT                  Information Technology\nLoB                 Line of Business\nMD                  Management Directive\nMOU                 Memorandum of Understanding\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nNSA                 National Security Agency\nNSICD               NRC System Information Control Database\nOIG                 
Office of the Inspector General\nOIS                 Office of Information Services\nOMB                 Office of Management and Budget\nPII                 Personally Identifiable Information\nPMM                 Project Management Methodology\nPOA&M               Plan of Action and Milestones\nSCAP                Security Content Automation Protocol\nSGI                 Safeguards Information\nSP                  Special Publication\nUS-CERT             United States Computer Emergency Readiness Team\n\n\n\n                                          iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                                                          Independent Evaluation of\n                                                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\nAbbreviations and Acronyms ..................................................................................... iii\n\n1 Background .............................................................................................................. 1\n2 Purpose .................................................................................................................... 1\n3 Findings .................................................................................................................... 1\n  3.1 FISMA Systems Inventory .............................................................................. 2\n            Agency System Inventory \xe2\x80\x93 Background .................................................................................... 
3\n            The NRC Inventory Interface Information Meets FISMA Requirements ................................... 4\n    3.2     Status of Certification and Accreditation Program (Question 1) ................ 5\n            All NRC Systems Have a Current Certification and Accreditation ............................................. 9\n    3.3     Status of Security Configuration Management (Questions 2 and 3) ........ 10\n            The NRC Security Configuration Management Program Is Generally Consistent with\n                NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA Requirements ........................................................................ 11\n    3.4     Status of Incident Response and Reporting Program (Question 4) ......... 16\n            The NRC Incident Response and Reporting Program Is Generally Consistent with NIST\xe2\x80\x99s\n                and OMB\xe2\x80\x99s FISMA Requirements..................................................................................... 16\n    3.5     Status of Security Training Program (Question 5) ..................................... 18\n            The NRC Security Training Program Is Generally Consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\n                FISMA Requirements ........................................................................................................ 18\n    3.6     Status of POA&M Program (Question 6) ..................................................... 21\n            Agency POA&M Process \xe2\x80\x93 Background ................................................................................... 21\n            FINDING \xe2\x80\x93 The Agency\xe2\x80\x99s POA&M Program Still Needs Improvement (Repeat Finding) ..... 23\n            NRC Progress in Correcting Weaknesses Reported on Its POA&Ms Is Improving ................. 26\n    3.7     Status of Remote Access Program (Question 7) ........................................ 
26\n            The NRC Remote Access Program Is Generally Consistent with NIST\xe2\x80\x99s and OMB\xe2\x80\x99s\n                FISMA Requirements ........................................................................................................ 27\n    3.8     Status of Account and Identity Management Program (Question 8) ........ 28\n            The NRC Account and Identity Management Program Is Generally Consistent with\n                NIST\xe2\x80\x99s and OMB\xe2\x80\x99s FISMA Requirements ........................................................................ 28\n    3.9     Status of Continuous Monitoring Program (Question 9) ........................... 30\n            The NRC Continuous Monitoring Program Is Generally Consistent with NIST\xe2\x80\x99s and\n                OMB\xe2\x80\x99s FISMA Requirements ........................................................................................... 30\n            NRC Has Completed Annual Security Control Testing for All Agency Systems and for\n                All Contractor Systems ...................................................................................................... 32\n            NRC Has Updated Security Plans for All Agency Systems and for All Contractor Systems ... 32\n    3.10 Status of Contingency Planning Program (Question 10) ........................... 33\n            The NRC Contingency Planning Program Is Generally Consistent with NIST\xe2\x80\x99s and\n                OMB\xe2\x80\x99s FISMA Requirements ........................................................................................... 
34\n\n\n\n                                                                      v\n\x0c                                                                                                         Independent Evaluation of\n                                                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n            Annual Contingency Plan Testing Was Completed for Almost All Agency Systems and\n               All Contractor Systems ...................................................................................................... 34\n    3.11 Status of Agency Program To Oversee Contractor Systems (Question\n         11) ................................................................................................................... 35\n            The NRC Program To Oversee Contractor Systems Is Generally Consistent with NIST\xe2\x80\x99s\n                and OMB\xe2\x80\x99s FISMA Requirements..................................................................................... 36\n            Agency Oversight of Contractor Systems Meets FISMA Requirements ................................... 37\n4 Consolidated List of Recommendations ............................................................. 39\n5 Agency Comments ................................................................................................ 41\n\n\nAppendix.                SCOPE AND METHODOLOGY................................................................... 
43\n\n\n\nList of Tables\n\n\n\n\n                                                                     vi\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n1      Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included\nFederal Information Security Management Act (FISMA) of 2002. FISMA outlines the\ninformation security management requirements for agencies, which include an annual\nindependent evaluation of an agency\xe2\x80\x99s information security program and practices to determine\ntheir effectiveness. This evaluation must include testing the effectiveness of information security\npolicies, procedures, and practices for a representative subset of the agency\xe2\x80\x99s information\nsystems. FISMA requires the annual evaluation to be performed by the agency\xe2\x80\x99s Inspector\nGeneral (IG) or by an independent external auditor. Office of Management and Budget (OMB)\nmemorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security\nManagement Act and Agency Privacy Management, dated April 21, 2010, requires the agency\xe2\x80\x99s\nOffice of the Inspector General (OIG) to report their responses to OMB\xe2\x80\x99s annual FISMA\nreporting questions for OIGs via an automated collection tool.\n\nRichard S. Carson & Associates, Inc. (Carson Associates), performed an independent evaluation\nof the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA for fiscal year (FY)\n2010. This report presents the results of that independent evaluation. 
Carson Associates also\nsubmitted responses to OMB\xe2\x80\x99s annual FISMA reporting questions for OIGs via OMB\xe2\x80\x99s\nautomated collection tool.\n\nThis report reflects the status of the agency\xe2\x80\x99s information system security program as of the\ncompletion of fieldwork on September 30, 2010.\n\n2      Purpose\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2010. The appendix contains a description of the evaluation scope and\nmethodology.\n\n3      Findings\n\nOver the past 8 years, NRC has continued to make improvements to its information system\nsecurity program and continues to make progress in implementing the recommendations\nresulting from previous FISMA evaluations. The agency has accomplished the following since\nthe FY 2009 FISMA independent evaluation:\n\n       The agency continued to make significant progress in certifying and accrediting its\n       systems. For the first time since 2001, when reporting on certification and accreditation\n       began under the Government Information Security Reform Act (GISRA), all NRC\n       operational systems, including all contractor systems for which NRC has direct oversight,\n       have a current certification and accreditation. In FY 2010, the agency completed\n       certification and accreditation of three existing agency systems and two new systems, and\n       reaccredited four agency systems. 
As of the completion of fieldwork for FY 2010, all 25\n       operational NRC information systems and all 3 systems used or operated by a contractor\n       or other organization on behalf of the agency had a current certification and accreditation.\n\n\n\n                                                 1\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n         The agency completed or updated security plans for all of the agency\xe2\x80\x99s 25 operational\n         systems and for all 3 contractor systems.\n         The agency completed annual security control testing for all agency systems and for all\n         contractor systems.\n         The agency completed annual contingency plan testing for all but one agency system and\n         for all contractor systems, including updating the contingency plans.\n         The agency issued several new Computer Security Office (CSO) processes including the\n         NRC Agency-wide Continuous Monitoring Program, the NRC Security Impact\n         Assessment Process, and the NRC Plan of Action and Milestones (POA&M) Process.\n\nWhile the agency has continued to make improvements in its information system security\nprogram and has made progress in implementing the recommendations resulting from previous\nFISMA evaluations, the independent evaluation identified one information system security\nprogram weakness \xe2\x80\x93 a repeat finding from several previous independent evaluations: the\nagency\xe2\x80\x99s POA&M program still needs improvement.\n\nThe following sections present the detailed findings from the independent evaluation and are\norganized based on the OIG section of the OMB FISMA reporting tool. 
Beginning with Section\n3.2, each major section corresponds to a question or set of questions from the IG section of the\nOMB FISMA reporting tool. Each section is introduced with a table that contains the OMB\nrequirement as stated in the OMB FISMA reporting tool . Findings are presented in the sections\nto which they are relevant.\n\n3.1      FISMA Systems Inventory\n\nFor FY 2010, OMB did not ask the OIGs to provide an evaluation of the quality of the agency\xe2\x80\x99s\nsystem inventory. However, as FISMA requires agencies to develop and maintain an inventory\nof major information systems operated by or under the control of such agency, this evaluation\nincludes an assessment of the NRC system inventory to determine if it meets FISMA\nrequirements.\n\nAs of completion of fieldwork, NRC had 25 operational systems that fall under FISMA reporting\nrequirements.3 Of the 25, 8 are general support systems,4 and 17 are major applications.5 NRC\nhad three systems operated by a contractor or other organization on behalf of the agency (one\nmajor application and two general support systems). Of the three, one is operated by a federally\nfunded research and development center, and two are operated by private contractors. As\nrequired by FISMA, Carson Associates selected a subset of NRC systems and contractor systems\nfor evaluation during the FY 2010 FISMA independent evaluation.\n\n3\n  NRC also has a number of major applications and general support systems currently in development. For FISMA\n  reporting purposes, only operational systems are considered.\n4\n  A general support system is an interconnected set of information resources under the same direct management\n  control that share common functionality. 
Typical general support systems are local and wide area networks,\n  servers, and data processing centers.\n5\n  A major application is a computerized information system or application that requires special attention to security\n  because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or\n  modification of the information in the application.\n\n\n                                                          2\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2010\n\n\n\n\n                 Table 3-1. Total Number of Agency and Contractor Systems\n                                    and Number Reviewed\n                              by FIPS 199 System Impact Level\n                                                                            Total Number of\n                                                                           Systems (Agency\n                         Agency Systems         Contractor Systems\n                                                                            and Contractor\n                                                                               Systems)\n   FIPS 199 System      Total       Number       Total       Number        Total        Number\n     Impact Level      Number      Reviewed     Number      Reviewed      Number       Reviewed\n         High              9           1            1           1            10             2\n       Moderate           16           2            1           0            17             2\n          Low              0           0            1           0             1             0\n    Not Categorized        0           0            0           0             0             0\n         Total            25           3            3           1            28             
Agency System Inventory – Background

FISMA requires agencies to develop and maintain an inventory of major information systems operated by or under control of the agency. The inventory must include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency. The inventory must be updated at least annually and must also be used to support information resources management.

Management Directive (MD) and Handbook 12.5, NRC Automated Information Security Program, also define requirements for the agency's inventory of automated information systems. The agency's inventory must identify all interfaces between each system and all other systems and networks, including those not operated by or under the control of the agency. MD and Handbook 12.5 also require the agency Chief Information Officer (CIO) to establish procedures for interconnection of any information technology (IT) device or system with the NRC IT infrastructure systems. MD and Handbook 12.5 also specify requirements for connections to the NRC network infrastructure. Written management authorization is required before establishing a connection between the NRC IT infrastructure and another system that is not NRC controlled. Connections to other Government-owned systems also may require the establishment of a memorandum of understanding (MOU).

To address findings from previous independent evaluations regarding the agency's inventory, the agency developed an automated inventory system, the NRC System Information Control Database (NSICD), to house the inventory of automated information systems. The agency inventory is maintained and updated at least annually. The agency issues data calls twice a year, typically in January and August. Data call packages include an explanation of the data fields found on the data call inventory sheets and instructions on how to verify and enter the data. The agency also developed several procedures and guides to assist NRC offices with the data calls and to assist the agency in maintaining the inventory data in NSICD.

Independent Evaluation of NRC's Implementation of FISMA for FY 2010

The NRC Inventory Interface Information Meets FISMA Requirements

The FY 2008 FISMA independent evaluation found that very little interface information was included in NSICD and that the interface information in NSICD was inconsistent with the interface information included in system security plans. In response to recommendations from the FY 2008 independent evaluation, the agency updated NSICD to include interface information for all systems in the NRC inventory. The agency also developed a guide for the CSO administrative staff for entering data into security records within NSICD to ensure interface information is consistent with interface information in security plans and risk assessments. However, the FY 2009 FISMA independent evaluation found that the majority of the interface information was still inconsistent with information found in IT security documentation, as well as with interface information within NSICD. While there was more interface information in NSICD than was found during the FY 2008 independent evaluation, the information was still incomplete and inconsistent.

The FY 2009 FISMA independent evaluation recommended that the two recommendations from the FY 2008 FISMA independent evaluation regarding system interfaces remain open until the agency corrected the inconsistencies that still existed in the inventory information in NSICD and until the procedures developed to ensure interface information in NSICD is consistent with interface information in security plans and risk assessments are further refined. The FY 2009 FISMA independent evaluation further recommended that the agency develop and implement procedures to ensure interface information is kept up-to-date. The agency completed updating interface information in NSICD with the most recent security plans and updated the NRC Administrative Guide for Entering Data into NSICD with additional guidance on entering interface information into NSICD, including procedures to ensure interface information is kept up-to-date. The agency's continuous monitoring program also includes requirements for reviewing system interfaces.

Carson Associates reviewed security plans for 11 systems to identify the interfaces for those systems. Carson Associates then reviewed the records for those systems in NSICD to determine if the agency's inventory included the interfaces identified in the security plans. Carson Associates also analyzed the interface information in NSICD for consistency within the inventory.
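The two-part cross-check described here (security plan versus inventory record, then reciprocity of records within the inventory), written as an added Python example that is not code from the report, from Carson Associates, or from NSICD. The system identifiers and interface data are constructed for illustration; a peer that has no inventory record of its own, such as an external system, is reported as its own finding rather than as an asymmetric entry.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Interfaces = Dict[str, Set[str]]

# Constructed sample data for this example; the system identifiers are
# hypothetical and are not NRC systems or NSICD records.
# Interfaces as declared in each reviewed system's security plan.
PLAN_INTERFACES: Interfaces = {
    "SYS-1": {"SYS-2", "SYS-3", "SYS-4"},
    "SYS-2": {"SYS-1"},
    "SYS-3": {"SYS-1", "EXT-GOV"},   # EXT-GOV: a system not under agency control
    "SYS-4": {"SYS-1"},
}

# Interfaces as recorded in the inventory database for the same systems.
INVENTORY_INTERFACES: Interfaces = {
    "SYS-1": {"SYS-2", "SYS-3", "SYS-4"},
    "SYS-2": {"SYS-1", "SYS-5"},     # SYS-5 is not in SYS-2's security plan
    "SYS-3": {"SYS-1", "EXT-GOV"},   # EXT-GOV has no inventory record of its own
    "SYS-4": set(),                  # does not reciprocate SYS-1's record
    "SYS-5": set(),                  # inventory record, but no plan reviewed
}


@dataclass
class Findings:
    # system -> interfaces that its security plan names but the inventory lacks
    missing_in_inventory: Dict[str, Set[str]] = field(default_factory=dict)
    # system -> interfaces the inventory records but its security plan does not
    not_in_plan: Dict[str, Set[str]] = field(default_factory=dict)
    # (a, b): a's record lists b, but b's record does not list a
    asymmetric: Set[Tuple[str, str]] = field(default_factory=set)
    # (a, b): a's record lists b, but b has no inventory record at all
    unrecorded_peers: Set[Tuple[str, str]] = field(default_factory=set)

    def is_consistent(self) -> bool:
        return not (self.missing_in_inventory or self.not_in_plan
                    or self.asymmetric or self.unrecorded_peers)


def compare_with_plans(plans: Interfaces, inventory: Interfaces,
                       findings: Findings) -> None:
    """Check 1: for every system with a security plan, the plan's interface
    list and the inventory record must agree in both directions."""
    for system, planned in plans.items():
        recorded = inventory.get(system, set())
        if planned - recorded:
            findings.missing_in_inventory[system] = planned - recorded
        if recorded - planned:
            findings.not_in_plan[system] = recorded - planned


def check_symmetry(inventory: Interfaces, findings: Findings) -> None:
    """Check 2: interface records must be reciprocal within the inventory.
    A peer with no record of its own (typically an external system) is
    reported separately rather than counted as an asymmetric entry."""
    for system, peers in inventory.items():
        for peer in peers:
            if peer not in inventory:
                findings.unrecorded_peers.add((system, peer))
            elif system not in inventory[peer]:
                findings.asymmetric.add((system, peer))


def review(plans: Interfaces, inventory: Interfaces) -> Findings:
    """Run both checks and return everything a reviewer would follow up on."""
    findings = Findings()
    compare_with_plans(plans, inventory, findings)
    check_symmetry(inventory, findings)
    return findings


if __name__ == "__main__":
    result = review(PLAN_INTERFACES, INVENTORY_INTERFACES)
    for system, missing in sorted(result.missing_in_inventory.items()):
        print(f"{system}: plan lists {sorted(missing)} but inventory does not")
    for system, extra in sorted(result.not_in_plan.items()):
        print(f"{system}: inventory lists {sorted(extra)} but plan does not")
    for a, b in sorted(result.asymmetric):
        print(f"{a} lists {b}, but {b} does not list {a}")
    for a, b in sorted(result.unrecorded_peers):
        print(f"{a} lists {b}, which has no inventory record")
    print("consistent" if result.is_consistent() else "inconsistencies found")
```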
For example, if system 1 listed interfaces with systems 2, 3, and 4, then those systems should also list an interface with system 1.

Carson Associates found that the majority of the interface information for the 11 systems reviewed was consistent with information found in IT security documentation, as well as with interface information within NSICD, and that the interface information was up-to-date.

3.2    Status of Certification and Accreditation Program (Question 1)

OMB Requirement (OIG Response marked with X)

1a. (OIG Response: X) The Agency has established and is maintaining a certification and accreditation program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following eight attributes:
    1. Documented policies and procedures describing the roles and responsibilities of participants in the certification and accreditation process.
    2. Establishment of accreditation boundaries for agency information systems.
    3. Categorizes information systems.
    4. Applies applicable minimum baseline security controls.
    5. Assesses risks and tailors security control baseline for each system.
    6. Assessment of the management, operational, and technical security controls in the information system.
    7. Risks to Agency operations, assets, or individuals analyzed and documented in the system security plan, risk assessment, or an equivalent document.
    8. The accreditation official is provided (i) the security assessment report from the certification agent providing the results of the independent assessment of the security controls and recommendations for corrective actions; (ii) the plan of action and milestones from the information system owner indicating actions taken or planned to correct deficiencies in the controls and to reduce or eliminate vulnerabilities in the information system; and (iii) the updated system security plan with the latest copy of the risk assessment.
1b. The Agency has established and is maintaining a certification and accreditation program. However, the Agency needs to make significant improvements as noted below.
1c. The Agency has not established a certification and accreditation program.

Certification and Accreditation – Background

The security certification and accreditation of information systems is integral to an agency's information security program and is an important activity that supports the risk management process required by FISMA. Information systems under development must be certified and accredited prior to becoming operational.
Operational information systems must be recertified and reaccredited every 3 years in accordance with Federal policy[6] and whenever there is a significant change[7] to the information system or its operational environment.

The following diagram[8] illustrates the key activities, including certification and accreditation, in managing enterprise-level risk, i.e., risk resulting from the operation of an information system. As illustrated in the diagram, the National Institute of Standards and Technology (NIST) has developed several standards and guidelines to support the management of enterprise risk. NIST Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, provides guidelines for certification and accreditation.

[6] OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources.
[7] Examples of significant changes to an information system that should be reviewed for possible reaccreditation include (1) installation of a new or upgraded operating system, middleware component, or application; (2) modifications to system ports, protocols, or services; (3) installation of a new or upgraded hardware platform or firmware component; and (4) modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the system security and trigger a reaccreditation action.
[8] The diagram was adapted from a diagram found in the NIST presentation "Building More Secure Information Systems: A Strategy for Effectively Applying the Provisions of FISMA," dated July 29, 2005 (http://csrc.nist.gov/sec-cert/PPT/fisma-overview-July29-2005.ppt).

Security certification is a comprehensive assessment of the management, operational, and technical security controls[9] that are planned or in place in an information system to determine the extent to which the controls are (1) implemented correctly, (2) operating as intended, and (3) producing the desired outcome with respect to meeting the security requirements for the information system. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official[10] to render a security accreditation decision.
Security certification can include a variety of assessment methods (e.g., interviewing, inspecting, studying, testing, demonstrating, and analyzing) and associated assessment procedures depending on the depth and breadth of assessment required by the agency.

Security accreditation is the official management decision given by a senior agency official to (1) authorize operation of an information system and (2) explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. By accrediting an information system, an agency official accepts responsibility for the information system's security.

There are three types of accreditation decisions that can be rendered by authorizing officials: (1) authorization to operate, (2) interim authorization to operate (IATO), and (3) denial of authorization to operate.

- Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is acceptable.
- Interim Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable, but there is an overarching mission necessity to place the information system into operation or continue its operation. An IATO is rendered when the security vulnerabilities identified in the information system (resulting from deficiencies in the planned or implemented security controls) are significant but can be addressed in a timely manner. An IATO provides a limited authorization to operate the information system under specific terms and conditions and acknowledges greater risk to the agency for a specified period of time. In accordance with OMB policy, an information system is not accredited during the period of limited authorization to operate. The duration established for an IATO should be commensurate with the risk to agency operations, agency assets, or individuals associated with the operation of the information system. When the security-related deficiencies have been adequately addressed, the IATO should be lifted and the information system authorized to operate.
- Denial of Authorization to Operate – issued if, after assessing the results of the security certification, the authorizing official deems that the risk to agency operations, agency assets, or individuals is unacceptable. The information system is not accredited and should not be placed into operation. If the information system is currently operational, all activity should be halted.

[9] Management controls are the safeguards or countermeasures that focus on the management of risk and the management of information system security. Operational controls are the safeguards or countermeasures that primarily are implemented and executed by people (as opposed to systems). Technical controls are the safeguards or countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
[10] The agency refers to the authorizing official as the designated approving authority. OMB refers to the authorizing official as the accreditation official.

The NRC Certification and Accreditation Program Is Generally Consistent with NIST's and OMB's FISMA Requirements

In order to evaluate the agency's certification and accreditation program, Carson Associates reviewed the certification and accreditation process and procedures located on the agency's project management methodology (PMM) Web site, and reviewed accreditation decision memoranda issued by the agency's authorizing official. NRC's certification and accreditation program is documented on its PMM Web site and is part of the agency's Information System Security (ISS) program. The objectives of the ISS program are to:

- Implement appropriate security measures to protect NRC information and information systems.
- Ensure that security measures provide the appropriate level of protection and reliable access to NRC information and information systems by authorized individuals, and only by authorized individuals, and operate as intended.
- Ensure that senior agency officials exercise due diligence over information security for the information and information systems that support the operations and assets under their control.

The PMM Web site includes workflows for the authority to operate process and the continuous monitoring process. Each workflow includes a work breakdown structure, team allocations, and work product usage information. The PMM Web site includes templates for all required certification and accreditation artifacts.
The PMM Web site also includes guidance on the use of common and inheritable controls.

To determine if the agency is managing and operating a certification and accreditation program in compliance with its policies, we reviewed the certification and accreditation documents for the four systems selected for evaluation during the FY 2010 independent evaluation. We also reviewed the agency's continuous monitoring process, including the requirement for annual security control testing, annual contingency plan testing, and annual security plan updates. Carson Associates found that the certification and accreditation documents for the four systems selected for evaluation were in compliance with agency policy, with a few minor deviations. The agency has been provided detailed information on any deviations from policy that were identified. Based on the certification and accreditation documents that were reviewed, Carson Associates determined that the NRC certification and accreditation program includes the eight attributes specified in the OMB requirement.

Carson Associates also determined that for the four systems selected for evaluation, the authorizing official was presented with the security assessment report, the POA&M, and the updated security plan with the latest copy of the risk assessment.

All NRC Systems Have a Current Certification and Accreditation

Previous evaluations found that the majority of NRC information systems were not certified and accredited. The lack of certifications and accreditations for the majority of the agency's systems was reported as a significant deficiency in the FY 2006 and FY 2007 FISMA independent evaluation reports. In FY 2008, just over half of the agency's operational NRC information systems, including all contractor systems for which NRC has direct oversight, had a current certification and accreditation. In FY 2009, all but one of the operational NRC information systems had a current certification and accreditation, and all three contractor systems for which NRC has direct oversight had a current certification and accreditation.

In FY 2010, the agency completed certification and accreditation of three agency systems and two new systems, and recertified and accredited four agency systems.

For the first time since 2001, when reporting on certification and accreditation began under GISRA, all NRC operational systems, including all contractor systems for which NRC has direct oversight, have a current certification and accreditation.

Table 3-2.
Total Number of Systems and Number Reviewed That Have a Current Certification and Accreditation by FIPS 199 System Impact Level

FIPS 199 System Impact Level    Agency    Contractor    Total Number    Number Reviewed
High                                 9             1              10                  2
Moderate                            16             1              17                  2
Low                                  0             1               1                  0
Not Categorized                      0             0               0                  0
Total                               25             3              28                  4

3.3    Status of Security Configuration Management (Questions 2 and 3)

OMB Requirement (OIG Response marked with X)

2a. (OIG Response: X) The Agency has established and is maintaining a security configuration management program that is generally consistent with NIST's and OMB's FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following six attributes:
    1. Documented policies and procedures for configuration management.
    2. Standard baseline configurations.
    3. Scanning for compliance and vulnerabilities with baseline configurations.
    4. FDCC baseline settings fully implemented and/or any deviations from FDCC baseline settings fully documented.
    5. Documented proposed or actual changes to the configuration settings.
    6. Process for the timely and secure installation of software patches.
2b. The Agency has established and is maintaining a security configuration management program. However, the Agency needs to make significant improvements as noted below.
2c. The Agency has not established a security configuration management program.

FISMA requires agencies to develop policies and procedures that ensure compliance with minimally acceptable system configuration requirements as determined by the agency. NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, requires organizations to (1) establish mandatory configuration settings for information technology products employed within the information system, (2) configure the security settings of information technology products to the most restrictive mode consistent with operational requirements, (3) document the configuration settings, and (4) enforce the configuration settings in all components of the information system.

The agency has also posted guidance on the NRC internal Web site requiring the use of hardening specifications for the different operating systems and software in use at the agency. Hardening specifications in use at the agency include benchmarks developed by the Center for Internet Security (CIS), the Defense Information Systems Agency (DISA) Gold Disk,[11] National Security Agency (NSA) security configuration guides, and custom hardening specifications developed by the agency. The NRC requires the use of standard baseline configurations for any information system that stores, transmits/receives, or processes NRC information.
In the absence of CSO-defined standard baseline configurations, the agency allows DISA standards, checklists, and guidance to be used. In the absence of both CSO and DISA configuration information, the agency allows CIS benchmarks to be used.

[11] The DISA Gold Disk is a tool that allows a system administrator to scan a system for vulnerabilities, make appropriate security configuration changes, and apply security patches. The Gold Disk uses an automated process that configures a system in accordance with DISA Security Technical Implementation Guidelines.

The NRC Security Configuration Management Program Is Generally Consistent with NIST's and OMB's FISMA Requirements

In order to evaluate the agency's security configuration management program, Carson Associates reviewed the configuration management process and procedures located on the agency's PMM Web site, and reviewed draft configuration management guidelines and processes currently in development. To determine if the agency's configuration management program includes the six attributes specified in the OMB requirement, in addition to the agency's configuration management guidelines and processes, we reviewed the certification and accreditation documents for the four systems selected for evaluation during the FY 2010 independent evaluation.

Documented Policies and Procedures

NRC maintains an agency Master Configuration Management Plan that defines the configuration management procedures for NRC projects from inception to decommissioning. The Master Configuration Management Plan outlines the use of Rational ClearCase for version control and change management for all software projects at NRC. It also describes the approach and processes for managing and versioning configuration items associated with systems and applications during the operations and maintenance phase of their lifecycle. The Master Configuration Management Plan is disseminated via the agency Intranet. The NRC certification and accreditation program requires all systems to have a security plan that includes supporting documents such as a configuration management plan.

The agency is in the process of updating its configuration policies and procedures and has issued the following draft guidance and processes:

- CSO-GUID-1315, NRC Configuration Management Guidance.
- CSO-PROS-1316, Configuration Change Control.
- CSO-PROS-1317, Configuration Item Identification and Documentation.
- CSO-PROS-1319, Configuration Audit and Review.

Standard Baseline Configurations

The NRC requires the use of standard baseline configurations for any system that stores, transmits/receives, or processes NRC information. The CSO has developed the following standard baseline configurations:

- NRC Blackberry Enterprise Server and Handheld Configuration Standard.
- Stealth MXP Thumb Drive Configuration Standard.
- NRC Classified Laptop Configuration Standard.
- NRC Safeguards Information (SGI) Laptop Configuration Standard.
- NRC General Laptop Configuration Standard.
- NRC General Laptop Configuration Guidance.
- Linux Red Hat Hardening Guidelines.
- VMWare ESX Server Hardening Guidelines.
- Microsoft Windows 2003 Servers.
- Microsoft Windows 2008 Servers.
- Microsoft SQL Server 2005/2008 Configuration Standards.
- Network Multi-Function Device and Printer Configuration Standards.
- NRC Web 2.0 Implementation Standard.
- NRC YouTube Standard.

In the absence of CSO-defined standard baseline configurations, the agency allows DISA standards, checklists, and guidance to be used. In the absence of both CSO and DISA configuration information, the agency allows CIS benchmarks to be used.

Scanning for Compliance and Vulnerabilities

To determine if the agency is scanning for compliance and vulnerabilities with baseline configurations, Carson Associates reviewed the security test and evaluation results for the four systems selected for evaluation in FY 2010.
Carson Associates also examined the vulnerability assessment reports prepared in support of security test and evaluation for the four systems.

The agency performs a vulnerability assessment during security control testing, which includes vulnerability scans, penetration tests, and hardening checks using the following tools:

- Cenzic Hailstorm – A Web application security testing tool to assess the implementation of Web application security policies.
- CIS Benchmarks – NRC-approved security hardening specifications for a variety of platforms and software, prepared by CIS (http://www.cisecurity.org/).
- CORE Impact Penetration Testing Tool – A specialized penetration testing tool that provides automated testing of known exploits against detected platforms, protocols, and services.
- DISA Gold Disk – A Department of Defense tool that tests Windows-based hosts for compliance with the DISA Gold standard, including file and registry access control and auditing settings, running services, installed applications and patches, and user rights.
- nCircle – A vulnerability scanning tool to assess configurations, applications, vulnerabilities, and system integrity. nCircle supports automated compliance checklists and remediation using the Federal Government's Security Content Automation Protocol (SCAP).
- NRC Hardening Guidelines – Agency-approved best practices customized for the implementation of secure configurations on information systems unique to the NRC.
- NSA Guides – Guides containing recommended security settings for certain platforms, prepared by NSA.
- Tenable Nessus Vulnerability Scanner – A general-purpose scanning tool that provides information on network-based vulnerabilities.
- ThreatGuard – A vulnerability scanning tool to assess Federal Desktop Core Configuration (FDCC) compliance. ThreatGuard supports automated compliance checklists and remediation using the Federal Government's SCAP.

FDCC Baseline Settings and Deviations

Carson Associates reviewed several agencywide announcements and determined that the agency has adopted and implemented FDCC standard configurations. Carson Associates reviewed the agency's FDCC compliance reports to OMB and to NIST and determined that the agency has documented deviations. For example, on April 6, 2009, the agency's designated approving authority approved a deviation from FDCC regarding password aging. The agency adjusted the FDCC maximum password age to a longer time period (from 60 to 90 days) while retaining the existing minimum password length and password complexity requirements.
The rationale for the change was to reduce the burden on the user community associated with the shorter password age.

In response to a recommendation regarding the implementation of FDCC at NRC from the FY 2008 FISMA independent evaluation, the CSO, in coordination with the Office of Information Services (OIS), developed the following standards and provided them on the CSO Web page:

- Configuration standards for NRC laptops.
- Guidance for general laptops.
- Procedures for applying critical updates to SGI laptops.
- An SGI Stand Alone Listed System Minimum Security Checklist to ensure appropriate laptop configuration.
- Standard system security plans for NRC laptops.
- Laptop security policy provided via memorandum to office directors and regional administrators and yellow announcement to staff.

OIS procedures require the use of standard images for desktop and laptop computers. All computers connected to the NRC network receive FDCC settings through the use of group policy object settings.[12] Computers that are not attached to the network (standalone systems) are loaded with these controls as part of the standard configuration image, and additional controls are implemented through local security policy.

In addition, the agency uses NIST-validated SCAP scanning tools to verify that the agency is compliant with FDCC for both OIS centrally managed and region/program office managed computer assets. CSO runs the NIST-approved scanning tools against the agency's image for standalone computers and against the agency's general support systems and major applications during system certification and accreditation and throughout continuous monitoring and quarterly security scanning, as required by FISMA. The CSO is currently fielding its Information Assurance System (IAS) to provide real-time assessment of FDCC compliance for networked computers as part of its continuous monitoring assurance activities. The completion of the IAS will provide agencywide, real-time FDCC assessments. The SCAP and FDCC compliance tools will be part of the CSO IAS, which is scheduled to be deployed early FY 2011.

[12] Group policy is a feature of Microsoft's operating systems and is a set of rules that control the working environment of user and computer accounts. It provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. Active Directory is a feature of Microsoft's operating systems that provides a variety of network services.

CSO updated the continuous monitoring process to include criteria to evaluate system owner compliance with required security controls. The annual continuous monitoring reviews of each office and their respective systems include an assessment of the implementation of required security controls on standalone PCs and laptops. FDCC configurations are now required for all Microsoft Windows XP Professional installations that connect to the NRC network either internally or remotely. All standalone workstations/laptops must meet the NRC laptop configuration standards.

Documents Proposed or Actual Changes to Configuration Settings

To determine if the agency documents proposed or actual changes to configuration settings, Carson Associates reviewed the security test and evaluation results for the four systems selected for evaluation in FY 2010, specifically the test results for the CM-3 control, Configuration Change Control. This control requires organizations to authorize, document, and control changes to the information system. Of the four systems reviewed, this control was in place for three systems and planned for one system. The control was not in place for the one system primarily because the process for approving changes to configuration settings was not documented. The actual changes themselves are documented. Based on our review of the security test and evaluation results, the agency documents proposed or actual changes to configuration settings.

Process for Timely and Secure Software Patch Installation

To determine if the agency has a process for timely and secure software patch installation, Carson Associates reviewed the security test and evaluation results for the four systems selected for evaluation in FY 2010, specifically the test results for the SI-2 control, Flaw Remediation. This control requires organizations to identify, report, and correct information system flaws. Of the four systems reviewed, this control was in place for one system, planned for two systems, and not applicable for one system.
The agency is in the process of remediating the missing patches identified during testing for one system, with a target completion date of March 2011, and has recently completed the system-specific procedures for detecting, recording, and correcting information system flaws for the other system in which this control was identified as inadequate.

In addition, the agency uses the System Center Configuration Manager patch management system to keep desktop configurations consistent across NRC. Network Bulletins are used to announce agency workstation updates. The announcements describe the nature of the upgrade and whether or not a workstation restart is required after the patches are installed. Many other agency systems rely on the agency’s IT infrastructure system for patch installation.

Based on our review of the security test and evaluation results, the agency has a process for timely and secure software patch installation.

Baselines Reviewed (Question 3)

To identify which baselines to review, Carson Associates identified the following operating systems, platforms, and systems in use in the four systems selected for evaluation in FY 2010 by reviewing the system security plans, security test and evaluation plans and reports, security assessment reports, vulnerability assessment reports, risk assessments, and other system security documentation:

- Cisco IOS.
- HP-UX.
- Microsoft Internet Information Services.
- Microsoft SQL Server 2000.
- Microsoft SQL Server 2005.
- Microsoft Windows Server 2000.
- Microsoft Windows Server 2003.
- Novell NetWare.
- Novell eDirectory.
- Red Hat Linux.
- Windows XP.

Carson Associates then reviewed the baselines in use by NRC relevant to the above listed operating systems, platforms, and systems. While the agency has established required baselines for additional operating systems, platforms, and systems, Carson Associates could only form an opinion on the baselines for those operating systems, platforms, and systems found in the four systems selected for evaluation in FY 2010.

3.4    Status of Incident Response and Reporting Program (Question 4)

OMB Requirement / OIG Response

4a. The Agency has established and is maintaining an incident response and reporting program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following five attributes: [OIG Response: X]
  1. Documented policies and procedures for responding and reporting to incidents.
  2. Comprehensive analysis, validation and documentation of incidents.
  3. When applicable, reports to US-CERT within established timeframes.
  4. When applicable, reports to law enforcement within established timeframes.
  5. Responds to and resolves incidents in a timely manner to minimize further damage.
4b. The Agency has established and is maintaining an incident response and reporting program. However, the Agency needs to make significant improvements as noted below.
4c. The Agency has not established an incident response and reporting program.

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes procedures for detecting, reporting, and responding to security incidents.

On May 2, 2008, the agency issued a revised policy on computer security incident response and personally identifiable information (PII) incident response. The policy provides direction for responding to computer security incidents affecting the NRC’s systems, networks, and users, as well as PII incidents and will be included in the next revision of MD and Handbook 12.5. The revised policy contains timeframes for responding to incidents, based on the criticality of the affected resources and the incident; formally establishes a Computer Security Incident Response Team (CSIRT) to respond to incidents; and outlines the CSIRT’s security incident response process. The CSIRT includes staff from the following offices: CSO, OIS, Office of Administration, and Office of Nuclear Security and Incident Response. The policy also specifies when the OIG should be involved in addressing a computer security incident.

The NRC Incident Response and Reporting Program Is Generally Consistent with NIST’s and OMB’s FISMA Requirements

In order to evaluate the agency’s incident response and reporting program, Carson Associates reviewed the agency’s policies, procedures, and guidance related to incident response and reporting.
To determine if the agency’s incident response and reporting program includes the five attributes specified in the OMB requirement, in addition to the agency’s incident response and reporting policies, procedures, and guidelines, we reviewed the annual security control test report for the agency’s common controls. Incident response policies and procedures are provided at the agency level for all NRC information systems.

In addition to issuing the revised policy on computer security incident response and PII incident response and forming CSIRT, the agency developed the following policies and guidelines related to detecting, reporting, and responding to security incidents. These documents include guidance on reporting incidents internally, reporting incidents to US-CERT, and reporting to law enforcement.13

- Information Systems Security Incident Response Procedures, May 11, 2004 (Appendix B from MD and Handbook 12.5).
- CSIRT Responder Guide, Version 1.2, August 4, 2009.
- CSIRT Standard Operating Procedures, Version 1.0, October 30, 2008.

The CSO also maintains an incident response Web site that provides information on incident response, including what to do if a user discovers a virus; suspicious e-mail; the deliberate or inadvertent release of sensitive, classified, or safeguards information; or missing IT equipment.

The agency uses a variety of tools to detect and respond to cyber security incidents, and the CSIRT conducts periodic incident response testing. The test results are documented and include a description of the scenario and responses to scenario questions on preparation; response and analysis; containment, eradication, and recovery; and forensics. The test results also include a checklist of actions that should have been taken during the exercise and documented lessons learned.

Based on our analysis, Carson Associates determined that the NRC incident response and reporting program includes the five attributes specified in the OMB requirement.

13 CSIRT does not report incidents directly to law enforcement. If an incident might warrant reporting to law enforcement, CSIRT notifies the OIG Computer Crimes Unit, which then decides whether or not external law enforcement should be involved.

3.5    Status of Security Training Program (Question 5)

OMB Requirement / OIG Response

5a. The Agency has established and is maintaining a security training program that is generally consistent with NIST’s and OMB’s FISMA requirements. Although improvement opportunities may have been identified by the OIG, the program includes the following six attributes: [OIG Response: X]
  1. Documented policies and procedures for security awareness training.
  2. Documented policies and procedures for specialized training for users with significant information security responsibilities.
  3. Appropriate training content based on the organization and roles.
  4. Identification and tracking of all employees with login privileges that need security awareness training.
  5. Identification and tracking of employees without login privileges that require security awareness training.
  6. Identification and tracking of all employees with significant information security responsibilities that require specialized training.
5b. The Agency has established and is maintaining a security training program. However, the Agency needs to make significant improvements as noted below.
5c. The Agency has not established a security training program.

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes security awareness training to information personnel, including contractors and other users of information systems that support the operations and assets of the agency. The security awareness training must inform personnel of information security risks associated with their activities, and their responsibilities in complying with agency policies and procedures designed to reduce these risks.

The NRC Security Training Program Is Generally Consistent with NIST’s and OMB’s FISMA Requirements

In order to evaluate the agency’s security training program, Carson Associates reviewed the agency’s policies, procedures, and guidance related to security training.
To determine if the agency’s security training program includes the six attributes specified in the OMB requirement, in addition to the agency’s security training policies, procedures, and guidelines, we reviewed the annual security control test report for the agency’s common controls. Security awareness training policies and procedures are provided at the agency level for all NRC information systems.

All new NRC employees (including onsite contractors, interns, and summer hires) are required to attend orientation the first day they report for duty. During the orientation, employees are given a brief presentation on a variety of NRC IT-related policies that includes a discussion on appropriate use of IT equipment. In addition, a representative from the Office of the General Counsel presents a session on ethics that includes additional discussions on appropriate use of the Internet. In addition, all NRC computer users, including Federal employees, detailees, interns, and contractors, are required to take an annual online computer security awareness course.

The agency also routinely issues network announcements on various security topics, including hoax e-mail messages, phishing and spear phishing, spam, and the risks of using thumb drives. In the spring of 2009, NRC began publishing a quarterly IT security newsletter, FRONTLINE. The newsletters will provide the NRC with IT security awareness tips and techniques for protecting one’s information.

For FY 2010, all NRC computer users, including Federal employees, detailees, interns, and contractors, were required to take an online computer security awareness course. All NRC employees and support contractors having network accounts were required to complete the course within 60 days of the course’s availability, with a target cutoff date of August 3, 2010, for completion of the course. The self-paced course consisted of two modules – a general computer security awareness training module developed by another Government agency for governmentwide use, and an NRC-specific module tailored to address the IT protection of SGI and rules of behavior for all users of NRC computing resources. Completion of both modules was required to fulfill the annual computer security awareness training requirement. The agency also prepared a list of differences between NRC policy and the course content of the first module as a companion document to the FY 2010 training. Office training coordinators were required to track completion of the computer security awareness course and report weekly completion percentages to the CSO. In an announcement dated August 4, 2010, the agency reported 5,007 users had completed the FY 2010 computer security awareness course – the equivalent of 98 percent of NRC computer users. The CSO’s IT Security Training Web site also includes a link to a Web page showing the completion rate for the computer security awareness training by office.

On May 28, 2010, the Chief Information Security Officer (CISO) issued a memorandum asking for support and action to ensure that all employees with significant IT security responsibilities are appropriately identified.
The memorandum required recipients of the memorandum to report back to the CISO by June 11, 2010, on the names of employees within their organization that have an IT security role as part of their official duties.

The agency also developed an IT Role-Based Training Plan that states the requirement for training for those with significant IT responsibilities, the type of training expected for each role, and the frequency of training per role. System owners are responsible for using the training plan procedures to address the training needs of personnel with IT roles. The training plan defines the following IT security roles with significant IT security responsibilities that require role-based training.

- IT executive.
- System owner.
- IT auditor.
- IT functional manager.
- IT senior approving official.
- IT functional management and operations personnel (including information systems security officers (ISSO), database administrator, network administrator, system administrator, and IT manager).
- IT system development official.
- IT project officer.
- IT system developer.

NRC is pursuing three approaches to address IT role-based training: NRC-provided resident courses, use of ISS Line of Business (LoB) providers, and commercially provided training and certifications.

- NRC-provided courses: The agency already provides IT security awareness training courses for ISSOs and for system and network administrators. These courses must be taken upon appointment to the role and every 3 years thereafter. The agency now also requires IT managers and system owners to complete role-specific training every 3 years. Senior level managers and IT executives are also required to complete role-specific training every 3 years. The agency developed separate courses for personnel in these roles. The agency also developed a laptop security controls training course for ISSOs. This course provides training in how to configure laptops with the required computer security controls and how to verify that laptop configurations comply with FDCC and NRC requirements.
- ISS LoB Providers: The CSO coordinated with the Department of Defense for the use of its ISS LoB approved courseware for agency-wide general computer security awareness.
- Commercial Training: The CSO IT Security Role-Based Training Web page provides lists of commercially available training in three areas: technical certification/courses, operating system-specific or database certifications/courses, and managerial/project management certification/courses. The Web page also provides a crosswalk between the 12 IT security roles and the commercially available training.

Based on our analysis, Carson Associates determined that the NRC security training program includes the six attributes specified in the OMB requirement.

3.6    Status of POA&M Program (Question 6)

OMB Requirement / OIG Response

6a. The Agency has established and is maintaining a POA&M program that is generally consistent with NIST’s and OMB’s FISMA requirements and tracks and monitors known information security weaknesses. Although improvement opportunities may have been identified by the OIG, the program includes the following six attributes:
  1. Documented policies and procedures for managing all known IT security weaknesses.
  2. Tracks, prioritizes, and remediates weaknesses.
  3. Ensures remediation plans are effective for correcting weaknesses.
  4. Establishes and adheres to reasonable remediation dates.
  5. Ensures adequate resources are provided for correcting weaknesses.
  6. Program officials and contractors report progress on remediation to CIO on a regular basis, at least quarterly, and the CIO centrally tracks, maintains, and independently reviews/validates the POA&M activities at least quarterly.
6b. The Agency has established and is maintaining a POA&M program that tracks and remediates known information security weaknesses. However, the Agency needs to make significant improvements as noted below. [OIG Response: X]
  6a(2) POA&M procedures are not fully developed, sufficiently detailed or consistently implemented. [OIG Response: X]
  6a(3) POA&Ms do not include all known security weaknesses (OMB M-04-25). [OIG Response: X]
  6a(8) Initial target remediation dates are frequently missed (OMB M-04-25). [OIG Response: X]
  6a(9) POA&Ms are not updated in a timely manner (NIST SP 800-53, Rev. 3, Control CA-5, and OMB M-04-25). [OIG Response: X]
6c. The Agency has not established a POA&M program.

FISMA requires agencies to develop, document, and implement an agencywide information security program that includes a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency. MD and Handbook 12.5 requires system owners/sponsors to ensure that a POA&M is developed, implemented, and maintained to track the major weaknesses that have been identified for office-sponsored information systems. Each office is required to regularly update the CIO on its progress in correcting system weaknesses to enable the CIO to provide the agency’s quarterly FISMA update report to OMB.

Agency POA&M Process – Background

NRC has two primary tools for tracking IT security weaknesses associated with information systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency. At a high level, NRC uses the POA&Ms required by OMB to track (1) corrective actions from the OIG annual independent evaluation; (2) corrective actions from the agency’s annual review; and (3) recurring FISMA and IT security action items, such as annual security control assessments and annual contingency plan testing.
The POA&Ms may also include corrective actions resulting from other security studies conducted by or on behalf of NRC.

The more specific corrective actions associated with the certification and accreditation process (e.g., corrective actions resulting from risk assessments and security control testing) are tracked in Rational® ClearQuest®14 as change requests using the PMM process for change management. All certification and accreditation corrective actions arising from the security control testing process and from vulnerability scans are imported into Rational ClearQuest. A corrective action plan is generated directly from Rational ClearQuest. System owners are responsible for remediation of each corrective action within the timeframes specified in the corrective action plan using the PMM process for change requests.

The agency developed a process for requesting quarterly POA&M updates from system owners, compiling the data into a consolidated source, reviewing it for accuracy, rolling up the information, and reporting it to OMB. Five weeks prior to the quarterly submittal to OMB, the agency sends out a data call to the offices asking them to update the current POA&Ms for their systems and add new weaknesses to the POA&Ms. Three weeks prior to the quarterly submittal to OMB, the agency receives the updated POA&M data from the system owners and enters the data into NSICD. The agency adds any new weaknesses identified from various sources, including OIG audits and reports, Government Accountability Office audits, internal control reviews, annual security control testing, security test and evaluation, information security program reviews, critical infrastructure protection vulnerability assessments, risk assessments, penetration tests, security information assessment recommendations, security assessment reports, quarterly scanning, vulnerability assessment reports, and confirmed security incidents. The agency provides instructions on providing the quarterly updates to the POA&Ms and specifies that data in only four fields on the POA&Ms should be changed: resources, brief description of work/services required, changes to milestones, and status.

The FY 2007, FY 2008, and FY 2009 FISMA independent evaluations found that the quality of the agency’s POA&Ms needed improvement. Specifically, Carson Associates found that (1) the metrics submitted to OMB often deviated from the actual POA&Ms, (2) the agency did not always follow OMB and internal NRC POA&M guidance, (3) POA&Ms do not include all known security weaknesses, (4) deficiencies were not always remediated in a timely manner, (5) estimated dates for remediation were not always adhered to, and (6) the agency was closing weaknesses without sufficient evidence from the system owner.

As a result of recommendations from the FY 2007 FISMA independent evaluation, the agency has been working on automating the POA&M process and is currently using NSICD to store, process, and generate the POA&Ms. In 2008, the agency acquired the Environmental Protection Agency’s FISMA reporting solution, the Automated System Security Evaluation and Remediation Tracking system, to further automate the POA&M and continuous monitoring processes. However, the agency identified some problems with the tool, and after 6 months of research and evaluation, the CSO picked Xacta, which was purchased in the second half of 2009, as the agency’s tool for automating the POA&Ms. As of the completion of fieldwork, the agency had not begun using Xacta for automating the POA&Ms.

14 Rational ClearQuest is an IBM software package used for software change management.

The agency also issued CSO-PROS-2016, NRC POA&M Process, V1.7, to ensure quality assurance is emphasized. The document includes a process for conducting independent verification and validation of POA&Ms to assure their adequacy as part of the security assessment review process. Additionally, CSO acquired additional contract support to assist in establishing a compliance review process in which CSO will review security documentation, conduct vulnerability scanning, and meet with each system owner on an annual basis to verify the status of remediation efforts, assess the comprehensiveness of planned corrective actions, and validate the accuracy of tasks, responsibilities, and milestones for each outstanding weakness. These activities take place quarterly, targeting approximately 25 percent of the overall number of POA&Ms. The first POA&M scoring notifications were issued in the 2nd quarter of FY 2010. The POA&M process was also briefed to various system owners and internal forums.

The agency’s new POA&M procedures also require corrective actions to be ranked based upon the most critical security weaknesses and their impact on the agency’s mission. This ranking should be reflected in the POA&Ms by listing identified weaknesses in priority order, irrespective of the weakness identifier (which is sequentially derived). The procedures state that the overall severity of the weakness should be considered in conjunction with the system risk impact level when prioritizing the mitigation of weaknesses. Weakness severity is the potential magnitude of loss that could result from weakness exploitation.
The POA&Ms include a weakness severity (called risk level) column that can be used to prioritize security weaknesses. However, the agency has not implemented the process described above for prioritizing security weaknesses.

FINDING – The Agency’s POA&M Program Still Needs Improvement (Repeat Finding)

Despite the issuance of the new NRC POA&M Process, the implementation of the POA&M scoring, and the briefing of the POA&M process to various system owners and internal forums, the agency’s POA&M program still needs improvement. This is primarily due to the manual process still in use for managing and updating the POA&Ms.

The agency’s POA&M program may include some of the six attributes specified in the OMB requirement; however, as in previous independent evaluations, Carson Associates found that the quality of the agency’s POA&Ms is not improving. In assessing the agency’s POA&M program, Carson Associates found that (1) POA&M procedures are not fully developed, sufficiently detailed, or consistently implemented; (2) POA&Ms do not include all known security weaknesses; (3) initial target remediation dates are frequently missed; and (4) POA&Ms are not updated in a timely manner.

(1) POA&M Procedures Are Not Fully Developed, Sufficiently Detailed, or Consistently Implemented

As in previous independent evaluations, Carson Associates found that the following problems with POA&M procedures still persist: (1) the metrics submitted to OMB often deviated from the actual POA&Ms, (2) the agency is not always following OMB and internal NRC POA&M guidance, and (3) the agency is closing weaknesses without sufficient evidence from the system owners.

Metrics Submitted to OMB Deviate From the Actual POA&Ms: As in previous independent evaluations, Carson Associates found discrepancies between the metrics submitted to OMB and the actual POA&Ms. The most common errors causing the discrepancies are:

- Counting weaknesses as closed in more than one quarter.
- Counting weaknesses as closed when they have not been closed by the OIG.
- Reporting weaknesses as on track when they are actually delayed.
- Reporting weaknesses as delayed when they are still on track.

The Agency Is Not Always Following OMB and NRC Internal POA&M Guidance: As in previous FISMA evaluations, Carson Associates also found that the agency is not always following OMB’s POA&M guidance. The agency is also not following NRC internal POA&M guidance. The following are some examples of deviations from OMB and NRC internal POA&M guidance found on the POA&Ms that were analyzed.

- Weaknesses with completion dates over a year old are not always removed from the POA&Ms. OMB guidance15 states that weaknesses that are no longer undergoing correction and have been completely mitigated for over a year should no longer be reported in the agency POA&Ms.
- Weaknesses with changes made to scheduled completion dates. OMB guidance states that once an agency has completed the initial POA&M, no changes should be made to the scheduled completion date.
- Weaknesses without scheduled completion dates. Several items added to the POA&Ms did not have scheduled completion dates.
- Weaknesses not properly marked to indicate they were closed in a previous quarter, but are being reported as closed in a later quarter (NRC requirement).

The Agency Continues To Close Weaknesses Without Sufficient Evidence from the System Owners: As in the FY 2008 and FY 2009 FISMA independent evaluations, Carson Associates found that the agency is sometimes closing weaknesses without sufficient evidence from the system owners. During our analysis of weaknesses identified during the FY 2010 annual security control testing, we found many instances where weaknesses that had been previously closed were still found to be present. In some instances, the weaknesses were added back to the POA&Ms with the FY 2010 annual security control testing results.

15 OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act.

(2) POA&Ms Do Not Include All Known Security Weaknesses

The POA&M process is an agencywide process, but the POA&Ms do not include all known security weaknesses. For example, the POA&Ms do not include all weaknesses identified in OIG audits. The new agency POA&M procedures require new weaknesses to be added to the POA&Ms within 15 days of discovery. However, weaknesses from one of the regional reviews conducted in FY 2009 were not added to the POA&Ms until more than 3 months after the reports were issued. In addition, not all the weaknesses from the FY 2009 regional reviews were added to the POA&Ms.
One report had eight weaknesses, but only four were added to the POA&Ms.
Another report had 10 weaknesses, but only 7 were added to the POA&Ms. A third report had
six weaknesses, but only five were added to the POA&Ms. Carson Associates also determined
that none of the recommendations from the FY 2010 contingency plan testing, and not all of the
weaknesses identified during the FY 2010 annual security control testing, have been added to the
POA&Ms.

(3) Initial Target Remediation Dates Are Frequently Missed

Carson Associates analyzed the POA&Ms for the four systems selected for evaluation in FY
2010 in order to determine if target remediation dates are met. Three of the four systems had at
least one weakness that was closed between 5 and 8 months after the scheduled completion date.
One system had 3 weaknesses that were closed over a year after their scheduled completion
dates. Two of the four systems have more than half of their open weaknesses overdue. One
system has more than half of its open weaknesses overdue by more than 1 year.

(4) POA&Ms Are Not Updated in a Timely Manner

Carson Associates analyzed all of the agency’s FY 2010 POA&M submissions to OMB to
determine whether POA&Ms are updated in a timely manner. We found multiple instances of
POA&M items being reported closed more than 3 months after they were actually closed. For
example, there were more than 100 POA&M items reported closed at least 1 quarter after they
were actually closed. In addition, we found multiple instances of the agency not counting
weaknesses as closed when they had been closed by the OIG prior to the cutoff date for POA&M
reporting.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   1. Implement an automated tool to ensure the agency’s POA&M procedures are consistently
      implemented.
   2. Perform more frequent independent verification and validation of POA&Ms to ensure
      POA&Ms include all known security weaknesses, including those identified in OIG
      audits, contingency plan testing, and annual security control testing, and to ensure
      POA&Ms are updated in a timely manner.

NRC Progress in Correcting Weaknesses Reported on Its POA&Ms Is Improving

The agency’s progress in correcting weaknesses reported on its POA&Ms is improving. In FY
2008 (quarters 1, 2, and 3), the agency closed just over 45 percent of its program level
weaknesses and just over 43 percent of its system level weaknesses, which was somewhat of an
improvement over FY 2007. However, in FY 2009 (FY 2008 4th quarter, and all quarters of FY
2009), the agency closed only 30 percent of its program level weaknesses and just over 40
percent of its system level weaknesses, which is less than in FY 2008. In FY 2010, the agency
closed just over 46 percent of its program level weaknesses and just over 68 percent of its system
level weaknesses, which is an improvement over FY 2009.

3.7    Status of Remote Access Program (Question 7)

 OMB Requirement                                                                   OIG Response
 7a. The Agency has established and is maintaining a remote access program that          X
 is generally consistent with NIST’s and OMB’s FISMA requirements. Although
 improvement opportunities may have been identified by the OIG, the program
 includes the following seven attributes:
 1. Documented policies and procedures for authorizing, monitoring, and
     controlling all methods of remote access.
 2. Protects against unauthorized connections or subversion of authorized
     connections.
 3. Users are uniquely identified and authenticated for all access.
 4. If applicable, multi-factor authentication is required for remote access.
 5. Authentication mechanisms meet NIST Special Publication 800-63 guidance
     on remote electronic authentication, including strength mechanisms.
 6. Requires encrypting sensitive files transmitted across public networks or
     stored on mobile devices and removable media such as CDs and flash drives.
 7. Remote access sessions are timed-out after a maximum of 30 minutes of
     inactivity after which re-authentication is required.
 7b. The Agency has established and is maintaining a remote access program.
 However, the Agency needs to make significant improvements as noted below.
 7c. The Agency has not established a program for providing secure remote
 access.

On June 26, 2008, the agency issued the NRC Computer Security Information Protection Policy
to address requirements specified in OMB Memorandum M-06-16, Protection of Sensitive Agency
Information, and M-06-19, Reporting Incidents Involving PII and Incorporating the Cost for
Security in Agency IT Investments.
The policy includes the requirement for remote access to any
system that processes non-public NRC information to be constrained by a “time-out” function
that requires re-authentication after 30 minutes of inactivity.

In December 2008, the agency issued a computer security policy for encryption of data at rest
prior to removal from agency facilities, and updated NUREG/BR-168, Guide for IT Security,
Policy for Processing Unclassified Safeguards Information on NRC Computers. This policy
requires the use of encryption to protect sensitive data at rest, including when stored on media
such as CDs, DVDs, thumb drives, backups, and external hard drives. The policy also states that
the agency will be issuing a separate policy to address encryption of transmitted data.

On May 21, 2009, the agency issued the NRC Agencywide Rules of Behavior for Authorized
Computer Use. The rules of behavior are provided to NRC computer users as part of the annual
computer security awareness training course, and apply to all NRC employees, contractors,
vendors, and agents (users) who have access to any system operated by the NRC or by a
contractor or outside entity on behalf of the NRC. The rules of behavior include a requirement
for users to use only NRC-approved technologies for remote access to the NRC network.

The NRC Remote Access Program Is Generally Consistent with NIST’s and OMB’s FISMA
Requirements

In order to evaluate the agency’s remote access program, Carson Associates reviewed the
agency’s policies, procedures and guidance related to remote access. To determine if the
agency’s remote access program includes the seven attributes specified in the OMB requirement,
in addition to the agency’s remote access policies, procedures, and guidelines, we reviewed the
annual security control test report for the agency’s common controls and the security test and
evaluation results for the four systems selected for evaluation in FY 2010, specifically the test
results for the AC-17 control, Remote Access. This control requires organizations to authorize,
monitor, and control all methods of remote access to their information systems.

NRC provides centralized remote access via a component of its IT infrastructure system. After
remote access through the centralized component, users have the same access to the network,
NRC information, and NRC information systems as if they were logged into the network locally.
The agency monitors remote access via a variety of mechanisms. At the common control level,
this control was found to be in place. Of the four systems reviewed, this control was in place for
one system (provided by the agency’s IT infrastructure system), partially in place for one system,
planned for one system, and not applicable for one system.
The agency is in the process of
procuring modems with Federal Information Processing Standard (FIPS) 140-2, Security
Requirements for Cryptographic Modules, validated cryptographic capabilities for one system
and has determined that there are compensating controls in place for the other system in which
this control was identified as inadequate.

Based on our analysis, Carson Associates determined that the NRC remote access program
includes the seven attributes specified in the OMB requirement.

3.8    Status of Account and Identity Management Program (Question 8)

 OMB Requirement                                                                   OIG Response
 8a. The Agency has established and is maintaining an account and identity               X
 management program that is generally consistent with NIST’s and OMB’s FISMA
 requirements and identifies users and network devices. Although improvement
 opportunities may have been identified by the OIG, the program includes the
 following seven attributes:
 1. Documented policies and procedures for account and identity management.
 2. Identifies all users, including federal employees, contractors, and others who
     access Agency systems.
 3. Identifies when special access requirements (e.g., multi-factor authentication)
     are necessary.
 4. If multi-factor authentication is in use, it is linked to the Agency’s personal
     identity verification program.
 5. Ensures that the users are granted access based on needs and separation of
     duties principles.
 6. Identifies devices that are attached to the network and distinguishes these
     devices from users.
 7. Ensures that accounts are terminated or deactivated once access is no longer
     required.
 8b. The Agency has established and is maintaining an account and identity
 management program that identifies users and network devices. However, the
 Agency needs to make significant improvements as noted below.
 8c. The Agency has not established an account and identity management program.

MD and Handbook 12.5, Appendix A, Section 2.1, provides an agencywide identification and
authentication policy for all systems. System owners may develop a system-specific
identification and authentication policy to address system-specific requirements. System owners
are responsible for developing, disseminating, reviewing, and updating formal, documented
system-specific procedures to facilitate policy-compliant implementation of the identification
and authentication policy and associated controls.

The NRC Account and Identity Management Program Is Generally Consistent with NIST’s
and OMB’s FISMA Requirements

In order to evaluate the agency’s account and identity management program, Carson Associates
reviewed the agency’s policies, procedures and guidance related to account and identity
management. To determine if the agency’s account and identity management program includes
the seven attributes specified in the OMB requirement, in addition to the agency’s remote access
policies, procedures, and guidelines, we reviewed the security test and evaluation results for the
four systems selected for evaluation in FY 2010.
Test results for the following controls related
to account and identity management were reviewed:

       - AC-2, Account Management – Requires organizations to manage information system
         accounts, including establishing, activating, modifying, reviewing, disabling, and
         removing accounts, and to review system accounts at least annually.
       - IA-2, User Identification and Authentication – Requires information systems to uniquely
         identify and authenticate users (or processes acting on behalf of users). Also specifies
         requirements for the use of multi-factor authentication.
       - IA-3, Device Identification and Authentication – Requires information systems to
         identify and authenticate specific devices before establishing a connection.
       - IA-4, Identifier Management – Requires organizations to manage user identifiers by (i)
         uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving
         authorization to issue a user identifier from an appropriate organization official; (iv)
         issuing the user identifier to the intended party; (v) disabling the user identifier after an
         organization-defined period of inactivity; and (vi) archiving user identifiers.

We also reviewed the annual security control test report for the agency’s common controls,
specifically for control IA-1, Identification and Authentication Policy and Procedures. This
control requires organizations to develop, disseminate, and periodically review/update (i) a
formal, documented, identification and authentication policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and
compliance; and (ii) formal, documented procedures to facilitate the implementation of the
identification and authentication policy and associated identification and authentication controls.
The testing found that the agency has developed and disseminated an agencywide identification
and authentication policy for all systems; however, periodic reviews and updates of the
identification and authentication policy and procedures within MD and Handbook 12.5 have not
been accomplished. MD and Handbook 12.5 is currently undergoing an update. In addition, the
testing found that the identification and authentication policy does not sufficiently address
purpose, scope, roles and responsibilities, management commitment, coordination among
organizational entities, and compliance.

Of the four systems reviewed, these controls were not applicable for one system. One or more of
these controls were found to be not in place for the other three systems. Specific issues included
problems with granting access without proper authorization, reviewing accounts, disabling
inactive accounts, and auditing account management actions. The agency has corrected some of
the identified deficiencies and is in the process of correcting the remaining items.
Testing also
identified issues with the use of multi-factor authentication for certain types of access.
Resolution of this issue is dependent on completion of the agency’s implementation of the
HSPD-12 personal identity verification card.

Based on our analysis, Carson Associates determined that the NRC account and identity
management program includes the seven attributes specified in the OMB requirement.

3.9    Status of Continuous Monitoring Program (Question 9)

 OMB Requirement                                                                   OIG Response
 9a. The Agency has established an entity-wide continuous monitoring program             X
 that assesses the security state of information systems that is generally consistent
 with NIST’s and OMB’s FISMA requirements. Although improvement
 opportunities may have been identified by the OIG, the program includes the
 following four attributes:
 1. Documented policies and procedures for continuous monitoring.
 2. Documented strategy and plans for continuous monitoring, such as
     vulnerability scanning, log monitoring, notification of unauthorized devices,
     sensitive new accounts, etc.
 3. Ongoing assessments of selected security controls (system-specific, hybrid,
     and common) that have been performed based on the approved continuous
     monitoring plans.
 4. Provides system authorizing officials and other key system officials with
     security status reports covering updates to security plans and security
     assessment reports, as well as POA&M additions.
 9b. The Agency has established an entity-wide continuous monitoring program
 that assesses the security state of information systems. However, the Agency
 needs to make significant improvements as noted below.
 9c. The Agency has not established a continuous monitoring program.

FISMA requires agencies to develop, document, and implement an agencywide information
security program that includes periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices, to be performed with a frequency depending on risk,
but no less than annually. Such testing shall include testing of management, operational, and
technical controls of every information system identified in the inventory required by FISMA.

NIST SP 800-53 requires organizations to establish a continuous monitoring strategy and
implement a continuous monitoring program that includes (i) a configuration management
process for the information system and its constituent components, (ii) a determination of the
security impact of changes to the information system and environment of operation, (iii) ongoing
security control assessments in accordance with the organizational continuous monitoring
strategy, and (iv) reporting the security state of the information system to appropriate
organizational officials at a frequency to be determined by the organization.

The NRC Continuous Monitoring Program Is Generally Consistent with NIST’s and OMB’s
FISMA Requirements

In order to evaluate the agency’s continuous monitoring program, Carson Associates reviewed
the agency’s policies, procedures, and guidance related to continuous monitoring.
To determine
if the agency’s continuous monitoring program includes the four attributes specified in the OMB
requirement, in addition to the agency’s continuous monitoring policies, procedures, and
guidelines, we reviewed the continuous monitoring activities performed for all of the agency’s
operational systems, including contractor systems.

The agency Executive Director for Operations issued a memorandum in January 2010 requiring
system owners to perform continuous monitoring activities required for FISMA. System owners
were required to take the following actions:

   1. Prepare a schedule of planned contingency plan testing and annual security controls
      testing, with a completion date that does not exceed 1 year from the last time such testing
      was performed.
   2. Submit an updated contingency plan test plan and contingency plan test report to CSO.
   3. Perform annual security testing and ensure that all annual security control testing reports
      are submitted in a timely fashion.
   4. For systems owned and/or operated by other agencies or contractors, obtain a
      memorandum from the owning/operating agency/contractor stating that annual
      contingency plan and security control testing has been performed in accordance with
      FISMA and NRC instructions, and submit the memorandum to CSO by July 30, 2010.
   5. If applicable, reauthorize systems in accordance with FISMA and NRC requirements.
   6. Update all security-related documentation in accordance with FISMA and NRC
      requirements.
   7. Proactively track and mitigate POA&M weaknesses identified during the course of
      ongoing security activities and submit a POA&M transmittal memorandum each quarter
      to CSO.

Systems that were authorized to operate within the past fiscal year already had their security
controls tested and, therefore, did not require additional annual security control testing. The
CSO identified a set of 96 core controls that must be assessed annually for all systems. System
owners were required to select additional controls with an emphasis on controls associated with
POA&M items that have been closed within the past year, and with additional controls selected
by the authority of the system owner and controls added by Revision 3 of NIST SP 800-53.

The agency also issued CSO-PROS-1323, US NRC Agency-wide Continuous Monitoring
Program, in June 2010. This document provides direction for NRC continuous monitoring
activities and describes the process for annual continuous monitoring reviews, related roles and
responsibilities, and evaluation criteria. Continuous monitoring reviews are conducted on each
office and its respective systems once per fiscal year to provide system owners and the
designated approving authorities with insight into the agencywide IT security posture.

Contingency plan testing is discussed in Section 3.10. Procedures for the oversight of contractor
systems are discussed in Section 3.11. The agency’s certification and accreditation program is
discussed in Section 3.2. The agency’s POA&M program is discussed in Section 3.6.
Annual
security control testing and security plan updates are discussed below.

Carson Associates determined that the NRC continuous monitoring program includes the four
attributes specified in the OMB requirement.

NRC Has Completed Annual Security Control Testing for All Agency Systems and for All
Contractor Systems

Six of the agency’s 25 operational systems and 1 of the agency’s 3 contractor systems were
authorized to operate in the past fiscal year and, therefore, did not require additional annual
security control testing. The remaining 19 agency systems and 2 contractor systems required
annual security control testing. As of the completion of fieldwork for FY 2010, annual security
control testing was completed for the 19 agency systems and 2 contractor systems that required
such testing.

              Table 3-3. Total Number of Systems and Number Reviewed
      for Which Security Controls Have Been Tested and Reviewed in the Past Year
                           by FIPS 199 System Impact Level

          FIPS 199 System                                    Total        Number
            Impact Level         Agency     Contractor       Number       Reviewed
                High                9           1              10            2
              Moderate             16           1              17            2
                Low                 0           1               1            0
          Not Categorized           0           0               0            0
                Total              25           3              28            4

NRC Has Updated Security Plans for All Agency Systems and for All Contractor Systems

As of the completion of fieldwork for FY 2010, all 25 agency systems, and all 3 contractor
systems for which NRC has direct oversight had new or updated security plans.

3.10   Status of Contingency Planning Program (Question 10)

 OMB Requirement                                                                   OIG Response
 10a. The Agency has established and is maintaining an entity-wide business              X
 continuity/disaster recovery program that is generally consistent with NIST’s and
 OMB’s FISMA requirements. Although improvement opportunities may have
 been identified by the OIG, the program includes the following seven attributes:
 1. Documented business continuity and disaster recovery policy providing the
    authority and guidance necessary to reduce the impact of a disruptive event or
    disaster.
 2. The agency has performed an overall Business Impact Assessment.
 3. Development and documentation of division, component, and IT infrastructure
    recovery strategies, plans and procedures.
 4. Testing of system specific contingency plans.
 5. The documented business continuity and disaster recovery plans are ready for
    implementation.
 6. Development of training, testing, and exercises (TT&E) approaches.
 7. Performance of regular ongoing testing or exercising of continuity/disaster
    recovery plans to determine effectiveness and to maintain current plans.
 10b. The Agency has established and is maintaining an entity-wide business
 continuity/disaster recovery program. However, the Agency needs to make
 significant improvements as noted below.
 10c. The Agency has not established a business continuity/disaster recovery
 program.

FISMA requires agencies to develop plans and procedures to ensure continuity of operations for
information systems that support the operations and assets of the agency. NIST SP 800-34,
Contingency Planning Guide for Information Technology Systems, states that contingency plans
should be tested at least annually and when significant changes are made to the information
system, supported business process(es), or the contingency plan. MD and Handbook 12.5 states
that the NRC shall comply with the NIST guidance to include guidance related to the preparation
of security documentation (such as system security plans, IT risk assessments, and IT
contingency plans) and other applicable NIST automated information security guidance for IT
security processes, procedures, and testing.
MD and Handbook 12.5 also states that IT
contingency plans for major applications and general support systems shall be tested each year.
A live test provides the best indication of the adequacy of a contingency plan. If a live test
cannot be conducted due to operational constraints, a simulated test may be conducted in lieu of
the live test. NRC CSO and OIS procedures also require annual contingency plan testing for all
major applications and general support systems, including generating a contingency plan test
report.

The NRC Contingency Planning Program Is Generally Consistent with NIST’s and OMB’s
FISMA Requirements

In order to evaluate the agency’s contingency planning program, Carson Associates reviewed the
agency’s policies, procedures and guidance related to contingency planning. To determine if the
agency’s contingency planning program includes the seven attributes specified in the OMB
requirement, in addition to the agency’s contingency planning policies, procedures, and
guidelines, we reviewed the contingency plans and contingency plan test reports for all of the
agency’s operational systems, including contractor systems.

In early 2009, the agency conducted a business impact analysis in support of the development of
the NRC Disaster Recovery Plan. The purpose of the analysis was to collect information from
each office to document business processes along with other relevant information supporting the
agency’s mission. In the near term, this data will be used to form the basis for prioritization of
“business critical” IT systems currently in use at the NRC to determine systems to be covered
under the disaster recovery plan. This information will also be used in the development of long
term funding needs to support the disaster recovery solution for the NRC.

Carson Associates determined that the NRC contingency planning program includes the seven
attributes specified in the OMB requirement.

Annual Contingency Plan Testing Was Completed for Almost All Agency Systems and All
Contractor Systems

The Executive Director for Operations issued a memorandum in January 2010 requiring system
owners to perform continuous monitoring activities required for FISMA, including completing
annual contingency plan testing of all major applications and general support systems. System
owners were required to prepare a schedule of planned contingency plan testing with a
completion date that does not exceed 1 year from the last time such testing was performed.

As of the completion of fieldwork for FY 2010, contingency plan testing[16] was completed for 24
of the agency’s 25 operational information systems and for all 3 contractor systems for which
NRC has direct oversight. The one system for which contingency plan testing has not yet
occurred is a new system that just went into production in early 2010. This system is undergoing
a scope change resulting in a delay in developing and testing the contingency plan. In addition,
24 of the agency’s 25 operational NRC information systems and all 3 contractor systems have
current contingency plans. It should be noted that the contingency plan for one of the agency’s
operational systems was not updated until after the September 30, 2010 cutoff date for reporting
completion metrics.
It should also be noted that in its 4th quarter FISMA metrics, the agency\nreported that 100 percent of its systems had contingency plans tested in accordance with policy,\nwhen in fact one system had not had its contingency plan tested.\n\n16\n     Any testing performed between October 1, 2009, and the completion of fieldwork would be considered as FY\n     2010 test results.\n\n              Table 3-4. Total Number of Systems and Number Reviewed\n       for Which Contingency Plans Have Been Tested in Accordance With Policy\n                           by FIPS 199 System Impact Level\n\n   FIPS 199 System Impact Level   Agency   Contractor   Total Number   Number Reviewed\n   High                              9         1             10              2\n   Moderate                         15         1             16              2\n   Low                               0         1              1              0\n   Not Categorized                   0         0              0              0\n   Total                            24         3             27              4\n\n3.11   Status of Agency Program To Oversee Contractor Systems (Question 11)\n\n OMB Requirement                                                                  OIG Response\n\n 11a. The Agency has established and maintains a program to oversee systems             X\n operated on its behalf by contractors or other entities. Although improvement\n opportunities may have been identified by the OIG, the program includes the\n following six attributes:\n 1. Documented policies and procedures for information security oversight of\n     systems operated on the Agency\xe2\x80\x99s behalf by contractors or other entities; the\n     Agency obtains sufficient assurance that security controls of systems operated\n     by contractors or others on its behalf are effectively implemented and comply\n     with federal and agency guidelines.\n 2. A complete inventory of systems operated on the Agency\xe2\x80\x99s behalf by\n     contractors or other entities.\n 3. The inventory identifies interfaces between these systems and Agency-\n     operated systems.\n 4. The agency requires agreements (MOUs, Interconnect Service Agreements,\n     contracts, etc.) for interfaces between these systems and those that it owns\n     and operates.\n 5. The inventory, including interfaces, is updated at least annually.\n 6. Systems that are owned or operated by contractors or entities are subject to\n     and generally meet NIST and OMB\xe2\x80\x99s FISMA requirements.\n 11b. The Agency has established and maintains a program to oversee systems\n operated on its behalf by contractors or other entities. However, the Agency\n needs to make significant improvements as noted below.\n 11c. The Agency does not have a program to oversee systems operated on its\n behalf by contractors or other entities.\n\nFISMA requires agencies to provide information security protections commensurate with the risk\nand magnitude of harm resulting from unauthorized access, use, disclosure, disruption,\nmodification, or destruction of (1) information collected or maintained by or on behalf of the\nagency or (2) information systems used or operated by an agency or by a contractor of an agency\nor other organization on behalf of an agency.17\n\nNRC defines two types of systems that are operated by a contractor or other organization on\nbehalf of NRC \xe2\x80\x93 contractor systems and e-Government systems. A contractor system is a system\nthat processes NRC information and is operated and maintained by a contractor, and an\ne-Government system is a system that processes NRC information and is operated and\nmaintained by another Federal agency.\n\nThe agency follows the same policies, procedures, and guidance in MD and Handbook 12.5 for\ncontractor systems as it does for agency systems. All contractor systems must be certified and\naccredited prior to processing any sensitive NRC information or connecting to the NRC\ninfrastructure and must undergo annual security control testing and annual contingency plan\ntesting. Contractor systems are also required to undergo recertification and reaccreditation per\nNRC policy.\n\nFor e-Government systems, the agency requires the responsible NRC system owner to\ndemonstrate those systems meet FISMA requirements by providing proof of authority to operate,\nannual security control testing, and annual contingency plan testing. 
The agency also requires a\nprivacy impact assessment and a security categorization for all e-Government systems. The\nagency may also require service level agreements or memoranda of understanding/agreement\nwith those agencies.\n\nIn addition to three contractor systems, NRC has eight e-Government systems, all considered to\nbe major applications. Oversight of these systems is the responsibility of the Federal agencies\noperating the systems.\n\nThe NRC Program To Oversee Contractor Systems Is Generally Consistent with NIST\xe2\x80\x99s\nand OMB\xe2\x80\x99s FISMA Requirements\n\nIn order to evaluate the agency\xe2\x80\x99s program to oversee contractor systems, Carson Associates\nreviewed the agency\xe2\x80\x99s policies, procedures and guidance related to contractor oversight. To\ndetermine if the agency\xe2\x80\x99s program to oversee contractor systems includes the six attributes\nspecified in the OMB requirement, in addition to the agency\xe2\x80\x99s contractor oversight policies,\nprocedures, and guidelines, we reviewed the agency\xe2\x80\x99s inventory of systems; agreements such as\nMOUs, interconnection service agreements, and contracts; and annual security control test\nreports, certification and accreditation documents, and contingency plans and contingency plan\ntest reports for the three contractor systems for which NRC has direct oversight.\n\nWe also reviewed proof of authority to operate, annual security control testing, and annual\ncontingency plan testing for the eight e-Government systems, as well as the required privacy\nimpact assessments and security categorizations.\n\n17\n      Information systems used or operated by a contractor of an agency or other organization on behalf of the agency\n     refers to information systems that the agency considers to be either major applications or general support systems.\n\n
Carson Associates determined that the NRC contractor oversight program includes the six\nattributes specified in the OMB requirement.\n\nAgency Oversight of Contractor Systems Meets FISMA Requirements\n\nAs of the completion of fieldwork for FY 2010, all three contractor systems for which NRC has\ndirect oversight had a current certification and accreditation. One was authorized to operate in\nFY 2010 and did not require additional annual security control testing. The other two had their\nsecurity controls tested and reviewed in the past year. All three have completed annual\ncontingency plan testing.\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Implement an automated tool to ensure the agency\xe2\x80\x99s POA&M procedures are consistently\n       implemented.\n    2. 
Perform more frequent independent verification and validation of POA&Ms to ensure\n       POA&Ms include all known security weaknesses, including those identified in OIG\n       audits, contingency plan testing, and annual security control testing, and to ensure\n       POA&Ms are updated in a timely manner.\n\n5      Agency Comments\n\nAt an exit conference on November 5, 2010, agency officials agreed with the report\xe2\x80\x99s findings\nand recommendations and provided some editorial changes, which the OIG incorporated as\nappropriate. The agency opted not to submit formal comments.\n\nAppendix.         SCOPE AND METHODOLOGY\n\nCarson Associates performed an independent evaluation of NRC\xe2\x80\x99s Implementation of FISMA\nfor FY 2010. 
To conduct the independent evaluation, the team met with agency staff responsible\nfor implementing the agency\xe2\x80\x99s information system security program, reviewed certification and\naccreditation documentation for the agency\xe2\x80\x99s operational information systems, and reviewed\nother documentation provided by the agency that demonstrated its implementation of FISMA.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       National Institute of Standards and Technology standards and guidelines.\n       Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC\n       Automated Information Security Program.\n       NRC Office of the Inspector General audit guidance.\n\nThis work was conducted between April 2010 and September 2010. Any information received\nfrom the agency subsequent to the completion of fieldwork was incorporated when possible.\nThe work was conducted by Jane M. Laroussi, CISSP; Joe Rood, CISSP, CISA; John Braden,\nCISSP; and Edwin Caron, CISA, from Richard S. Carson and Associates, Inc.\n'